## https://sploitus.com/exploit?id=3BCADBAC-E6C7-5B3A-84E1-6938398220F9
# DOMPurify `<selectedcontent>` re-clone bypass
Instead of relying on easily stripped source comments or version variables, this tool performs logic fingerprinting on minified production JavaScript bundles to identify unpatched allowed-tag layouts.
## Vulnerability Summary
In DOMPurify versions up to 3.4.4, the `<selectedcontent>` element was allowed by default. This creates a logic flaw where browser DOM mutations refresh the re-cloned subtree *after* DOMPurify has already executed its sanitization pass, leading to a full XSS bypass when the sanitized payload is injected into the DOM.
## Features
- Framework-agnostic (works with React, Vue, Angular, or vanilla JS bundle structures)
- Automated dynamic JS asset parsing from root paths
- Case-insensitive static analysis on compiled production code
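As an added illustration of the logic-fingerprinting idea described above (this is not the project's own `CVE-2024-48910.go`), the following Go snippet scans a minified bundle for an array literal that looks like DOMPurify's HTML tag allowlist and reports whether `selectedcontent` is still listed. The anchor-tag heuristic and the sample bundles are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding summarises what the fingerprint found in one bundle.
type Finding struct {
	HasDOMPurify bool     // bundle mentions DOMPurify at all (case-insensitive)
	AllowList    []string // tag names of the matched HTML allowlist array, if any
	Vulnerable   bool     // allowlist still contains "selectedcontent"
}

// arrayRe matches a JS array literal made only of quoted tag-like strings,
// e.g. ["a","abbr","acronym"], as minifiers emit it. tokenRe pulls the names out.
var arrayRe = regexp.MustCompile(`\[\s*(?:["'][a-z0-9-]+["']\s*,\s*)+["'][a-z0-9-]+["']\s*\]`)
var tokenRe = regexp.MustCompile(`["']([a-z0-9-]+)["']`)

// anchorTags is an assumed heuristic: an array holding all of these together is
// treated as DOMPurify's default HTML allowlist rather than some unrelated array.
var anchorTags = []string{"abbr", "blockquote", "datalist", "figcaption"}

// FingerprintBundle performs the case-insensitive static check on bundle source.
func FingerprintBundle(src string) Finding {
	lower := strings.ToLower(src)
	f := Finding{HasDOMPurify: strings.Contains(lower, "dompurify")}
	for _, arr := range arrayRe.FindAllString(lower, -1) {
		var tags []string
		for _, m := range tokenRe.FindAllStringSubmatch(arr, -1) {
			tags = append(tags, m[1])
		}
		if !containsAll(tags, anchorTags) {
			continue // not the allowlist layout we are looking for
		}
		f.AllowList = tags
		f.Vulnerable = containsAll(tags, []string{"selectedcontent"})
		return f
	}
	return f
}

func containsAll(have, want []string) bool {
	set := make(map[string]bool, len(have))
	for _, h := range have {
		set[h] = true
	}
	for _, w := range want {
		if !set[w] {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample bundle, not a real DOMPurify build.
	sample := `!function(){var e="DOMPurify";var t=["a","abbr","blockquote","datalist","figcaption","select","selectedcontent","slot"]}();`
	fmt.Printf("%+v\n", FingerprintBundle(sample))
}
```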
## Proof of Concept

## Usage
```bash
# Clone the repository
git clone https://github.com/Galaxy-sc/CVE-2024-48910-dompurify-mxss-detector.git
cd CVE-2024-48910-dompurify-mxss-detector
# Run against a target using parameters
go run CVE-2024-48910.go -u https://example.com
```
## Remediation
Update `dompurify` to version `3.4.5` or higher via your package manager:
```bash
npm install dompurify@3.4.5
```
If an immediate upgrade is not feasible, explicitly forbid the tag in your sanitizer configuration:
```javascript
DOMPurify.sanitize(userInput, { FORBID_TAGS: ['selectedcontent'] });
```